Analysis
- max time kernel: 130s
- max time network: 114s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 25-02-2021 21:12

Static task: static1
Behavioral task: behavioral1
Sample: Payment Advice GLV225445686.exe
Resource: win7v20201028
General
- Target: Payment Advice GLV225445686.exe
- Size: 708KB
- MD5: 757844785304a9b94d0f994b24a2f177
- SHA1: 4d01dcfa4292530139fc7d9264466bafd63ab8ed
- SHA256: 9c3da492d0b98fec833d5217e46cee71fd67cf4d0bae48267cc4007095f096d2
- SHA512: 5d0c21c7648c2b618eb079bb2cf699f89a36deab5e360b9db3244b1213b1da967b248708999bc89c7d039c9afdb5b3c4756f34d3e6203d8ef3b1ca89cd5a8176
Malware Config
Signatures
- Beds Protector Packer (1 IoC)
  Detects Beds Protector packer used to load .NET malware.
  Processes (resource | yara_rule):
    behavioral1/memory/1576-5-0x00000000045E0000-0x000000000468E000-memory.dmp | beds_protector
- NirSoft MailPassView (6 IoCs)
  Password recovery tool for various email clients
  Processes (resource | yara_rule):
    behavioral1/memory/1424-8-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView
    behavioral1/memory/1424-9-0x000000000047EA9E-mapping.dmp | MailPassView
    behavioral1/memory/1424-11-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView
    behavioral1/memory/688-16-0x0000000000411654-mapping.dmp | MailPassView
    behavioral1/memory/688-15-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
    behavioral1/memory/688-19-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
- NirSoft WebBrowserPassView (5 IoCs)
  Password recovery tool for various web browsers
  Processes (resource | yara_rule):
    behavioral1/memory/1424-8-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView
    behavioral1/memory/1424-9-0x000000000047EA9E-mapping.dmp | WebBrowserPassView
    behavioral1/memory/1424-11-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView
    behavioral1/memory/520-21-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
    behavioral1/memory/520-24-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
- Nirsoft (8 IoCs)
  Processes (resource | yara_rule):
    behavioral1/memory/1424-8-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft
    behavioral1/memory/1424-9-0x000000000047EA9E-mapping.dmp | Nirsoft
    behavioral1/memory/1424-11-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft
    behavioral1/memory/688-16-0x0000000000411654-mapping.dmp | Nirsoft
    behavioral1/memory/688-15-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral1/memory/688-19-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral1/memory/520-21-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
    behavioral1/memory/520-24-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
- Uses the VBS compiler for execution (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    5 | whatismyipaddress.com
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid | process | target process):
    PID 1576 set thread context of 1424 | 1576 | Payment Advice GLV225445686.exe | Payment Advice GLV225445686.exe
    PID 1424 set thread context of 688 | 1424 | Payment Advice GLV225445686.exe | vbc.exe
    PID 1424 set thread context of 520 | 1424 | Payment Advice GLV225445686.exe | vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1424 | Payment Advice GLV225445686.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (description | pid | process | target process), identical rows grouped with their event count:
    PID 1576 wrote to memory of 1424 | 1576 | Payment Advice GLV225445686.exe | Payment Advice GLV225445686.exe (9 events)
    PID 1424 wrote to memory of 688 | 1424 | Payment Advice GLV225445686.exe | vbc.exe (10 events)
    PID 1424 wrote to memory of 520 | 1424 | Payment Advice GLV225445686.exe | vbc.exe (10 events)
Processes (process tree; nesting shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\Payment Advice GLV225445686.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice GLV225445686.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Payment Advice GLV225445686.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice GLV225445686.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Downloads
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- memory/520-24-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/520-22-0x0000000000442628-mapping.dmp
- memory/520-21-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/688-16-0x0000000000411654-mapping.dmp
- memory/688-19-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/688-17-0x0000000075A41000-0x0000000075A43000-memory.dmp (Filesize: 8KB)
- memory/688-15-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1424-14-0x0000000000660000-0x0000000000662000-memory.dmp (Filesize: 8KB)
- memory/1424-13-0x0000000004FD0000-0x0000000004FD1000-memory.dmp (Filesize: 4KB)
- memory/1424-11-0x0000000000400000-0x0000000000484000-memory.dmp (Filesize: 528KB)
- memory/1424-10-0x00000000744C0000-0x0000000074BAE000-memory.dmp (Filesize: 6.9MB)
- memory/1424-9-0x000000000047EA9E-mapping.dmp
- memory/1424-8-0x0000000000400000-0x0000000000484000-memory.dmp (Filesize: 528KB)
- memory/1424-18-0x0000000004FD5000-0x0000000004FE6000-memory.dmp (Filesize: 68KB)
- memory/1512-25-0x000007FEF6780000-0x000007FEF69FA000-memory.dmp (Filesize: 2.5MB)
- memory/1576-2-0x00000000744C0000-0x0000000074BAE000-memory.dmp (Filesize: 6.9MB)
- memory/1576-7-0x00000000005B0000-0x00000000005BF000-memory.dmp (Filesize: 60KB)
- memory/1576-6-0x0000000004A10000-0x0000000004A11000-memory.dmp (Filesize: 4KB)
- memory/1576-5-0x00000000045E0000-0x000000000468E000-memory.dmp (Filesize: 696KB)
- memory/1576-3-0x0000000001120000-0x0000000001121000-memory.dmp (Filesize: 4KB)